Commit 713dce53 authored Oct 25, 2024 by Cong Wang Committed by Dong Chenchen Oct 25, 2024

gtp: fix a potential NULL pointer dereference

stable inclusion
from stable-v5.10.225
commit 8bbb9e4e0e66a39282e582d0440724055404b38c
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4H8
CVE: CVE-2024-46677

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8bbb9e4e0e66a39282e582d0440724055404b38c



--------------------------------

[ Upstream commit defd8b3c37b0f9cb3e0f60f47d3d78d459d57fda ]

When sockfd_lookup() fails, gtp_encap_enable_socket() returns a
NULL pointer, but its callers only check for error pointers thus miss
the NULL pointer case.

Fix it by returning an error pointer with the error code carried from
sockfd_lookup().

(I found this bug during code inspection.)

Fixes: 1e3a3abd ("gtp: make GTP sockets in gtp_newlink optional")
Cc: Andreas Schultz <aschultz@tpip.net>
Cc: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://patch.msgid.link/20240825191638.146748-1-xiyou.wangcong@gmail.com


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>

parent 4cebfb91

drivers/net/gtp.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -801,7 +801,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
		sock = sockfd_lookup(fd, &err);
		if (!sock) {
		pr_debug("gtp socket fd=%d not found\n", fd);
		return NULL;
		return ERR_PTR(err);
		}

		sk = sock->sk;